FTK Filters are Your Friend

I have been working on a forensic investigation of about 20 Windows Server 2008 R2 VMs using FTK 4.2. FTK makes examining many systems manageable. One feature that has saved me a tremendous amount of time is the Filters feature. Filters allow you to quickly, well, filter out wanted or unwanted files that meet your defined criteria.

I used this feature to help me quickly find two types of files: the Windows security event file and an Apache access.log file (yes, Apache web server will run on Windows). These two files contained evidence that I needed to examine further. To quickly grab these files from the disk images, I created two filters.

In FTK 4.2, to create a filter, once you have FTK open to your workspace (you have logged in and selected your image set to work with, if required), click the “Filter Manager” button:

[Screenshot: Filter Manager button]

You will get a new dialog box where you can select a pre-made filter, or define a new one. You can even import a filter:

Apply Filters

If you do not see a filter you want to apply, you can create a new filter by clicking the “Create a new filter” button in the lower left hand corner:

Add Filter Button

Once you click the “Create a new filter” button, you will be shown a new screen where you can begin to build your filter using FTK’s options. In the picture below, I have built an “access.log” filter:

Create Filter

Once you are done creating your filter, click Save and then Close. FTK allows you to preview the results of the filter as you build it if you check the “Live Preview” check box. One other item of note: near the bottom of the above screen, you will notice a pair of radio buttons, “Match Any” and “Match All.” “Match Any” is essentially an “OR” operator between each of the rules defined. “Match All” is an “AND” operator between each rule. Remember this option, as I forgot to set it correctly and could not figure out why my results were wrong. Experiment with the various rule properties, as there are a ton of them.

One cool feature about FTK is the ability to import rules someone else has created. You can do this by clicking the “Import a filter from a xml file” button:

Import Filter

I’ve included the filter XML files for the filters created in this tutorial below. Just copy and paste the code below into a text document and save it with an XML extension, then import these files into FTK:

access.log filter:

<?xml version="1.0" encoding="UTF-8"?>
<exportedFilter xmlns="http://www.accessdata.com/ftk2/filters">
  <filter name="access.log" matchCriterion="all" id="f_1000004" read_only="false" description="Access Logs">
    <rule position="0" enabled="true" id="a_9001" operator="starts_with_caseignore">
      <one_string value="access"/>
    </rule>
    <rule position="1" enabled="true" id="a_9185" operator="is">
      <one_string value="log"/>
    </rule>
    <rule position="2" enabled="true" id="a_9009" operator="is_greater">
      <one_int value="0" unit="bytes"/>
    </rule>
  </filter>
  <attribute id="a_9001" type="string">
    <table>cmn_Objects</table>
    <column>ObjectName</column>
  </attribute>
  <attribute id="a_9009" type="int">
    <table>cmn_ObjectFiles</table>
    <column>LogicalSize</column>
  </attribute>
  <attribute id="a_9185" type="string">
    <table>cmn_ObjectFiles</table>
    <column>Extension</column>
  </attribute>
</exportedFilter>

Windows Security Event Logs security.evtx:

<?xml version="1.0" encoding="UTF-8"?>
<exportedFilter xmlns="http://www.accessdata.com/ftk2/filters">
  <filter name="Security.evtx" matchCriterion="all" id="f_1000000" read_only="false" description="Security Event Logs">
    <rule position="0" enabled="true" id="a_9185" operator="contains">
      <one_string value="evtx"/>
    </rule>
    <rule position="1" enabled="true" id="a_9001" operator="starts_with_caseignore">
      <one_string value="security"/>
    </rule>
  </filter>
  <attribute id="a_9001" type="string">
    <table>cmn_Objects</table>
    <column>ObjectName</column>
  </attribute>
  <attribute id="a_9185" type="string">
    <table>cmn_ObjectFiles</table>
    <column>Extension</column>
  </attribute>
</exportedFilter>
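
To show how an exported filter is actually evaluated, here is an added Python example (not FTK's code and not part of the original post) that parses the access.log filter above, maps each rule's attribute id to its column, and applies the rules to a constructed file listing. The operator semantics (starts_with_caseignore, is, contains, is_greater) are assumed from their names; forcing the criterion to "any" reproduces the Match Any/Match All mix-up described earlier.

```python
# Added example (not FTK's code): parse an exported FTK filter and apply its rules to a
# constructed listing, showing how matchCriterion "all" (AND) vs "any" (OR) changes the result.
import xml.etree.ElementTree as ET

NS = {"f": "http://www.accessdata.com/ftk2/filters"}
# The access.log filter from the post (XML declaration omitted for brevity).
ACCESS_LOG_FILTER = """<exportedFilter xmlns="http://www.accessdata.com/ftk2/filters">
<filter name="access.log" matchCriterion="all" id="f_1000004" read_only="false" description="Access Logs">
<rule position="0" enabled="true" id="a_9001" operator="starts_with_caseignore"><one_string value="access"/></rule>
<rule position="1" enabled="true" id="a_9185" operator="is"><one_string value="log"/></rule>
<rule position="2" enabled="true" id="a_9009" operator="is_greater"><one_int value="0" unit="bytes"/></rule>
</filter>
<attribute id="a_9001" type="string"><table>cmn_Objects</table><column>ObjectName</column></attribute>
<attribute id="a_9009" type="int"><table>cmn_ObjectFiles</table><column>LogicalSize</column></attribute>
<attribute id="a_9185" type="string"><table>cmn_ObjectFiles</table><column>Extension</column></attribute>
</exportedFilter>"""

# Constructed file listing, keyed by the column names the filter references.
FILES = [
    {"ObjectName": "access.log",    "Extension": "log",  "LogicalSize": 52312},
    {"ObjectName": "ACCESS.LOG",    "Extension": "log",  "LogicalSize": 0},
    {"ObjectName": "access.log.1",  "Extension": "1",    "LogicalSize": 1024},
    {"ObjectName": "error.log",     "Extension": "log",  "LogicalSize": 300},
    {"ObjectName": "Security.evtx", "Extension": "evtx", "LogicalSize": 4096},
]

OPS = {  # operator semantics assumed from the names used in the XML
    "starts_with_caseignore": lambda v, s: str(v).lower().startswith(s.lower()),
    "is": lambda v, s: str(v) == s,
    "contains": lambda v, s: s in str(v),
    "is_greater": lambda v, s: int(v) > int(s),
}

def load_filter(xml_text):
    """Return (matchCriterion, [(column, operator, value), ...]) in rule order."""
    root = ET.fromstring(xml_text)
    cols = {a.get("id"): a.find("f:column", NS).text for a in root.findall("f:attribute", NS)}
    flt = root.find("f:filter", NS)
    rules = []
    for r in sorted(flt.findall("f:rule", NS), key=lambda r: int(r.get("position"))):
        if r.get("enabled") == "true":  # the rule's single child holds the comparison value
            rules.append((cols[r.get("id")], r.get("operator"), r[0].get("value")))
    return flt.get("matchCriterion"), rules

def apply_filter(xml_text, files=FILES, criterion=None):
    """Return the ObjectNames that pass; criterion="any"/"all" overrides the XML."""
    crit, rules = load_filter(xml_text)
    combine = all if (criterion or crit) == "all" else any
    return [f["ObjectName"] for f in files if combine(OPS[op](f[col], s) for col, op, s in rules)]
```

With the filter's own "all" setting only access.log survives; with "any", the LogicalSize > 0 rule alone lets every non-empty file through, which is exactly the kind of wrong result the Match Any/Match All mix-up produces.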

This entry was posted in Forensics.